elastic · gergoabraham · Mar 31, 2026 · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026
@@ -463,6 +463,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
       installElasticDefend: `${ELASTIC_DOCS}solutions/security/configure-elastic-defend/install-elastic-defend`,
       avcResults: `https://www.elastic.co/blog/elastic-security-av-comparatives-business-test`,
       bidirectionalIntegrations: `${ELASTIC_DOCS}solutions/security/endpoint-response-actions/third-party-response-actions`,
+      endpointExceptions: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/elastic-endpoint-exceptions`,
       trustedApps: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/trusted-applications`,
       trustedDevices: `${ELASTIC_DOCS}solutions/security/manage-elastic-defend/trusted-devices`,
       elasticAiFeatures: `${ELASTIC_DOCS}solutions/security/ai`,

@@ -329,6 +329,7 @@ export interface DocLinks {
     readonly avcResults: string;
     readonly bidirectionalIntegrations: string;
     readonly thirdPartyLlmProviders: string;
+    readonly endpointExceptions: string;
     readonly trustedApps: string;
     readonly trustedDevices: string;
     readonly elasticAiFeatures: string;

@@ -268,6 +268,18 @@ const securitySolutionApiServiceFactory = (supertest: SuperTest.Agent) => ({
       .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
   },
+  getEndpointExceptionsPerPolicyOptIn(kibanaSpace: string = 'default') {
+    return supertest
+      .get(
+        getRouteUrlForSpace(
+          '/internal/api/endpoint/endpoint_exceptions_per_policy_opt_in',
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
+  },
   getEndpointMetadataList(props: GetEndpointMetadataListProps, kibanaSpace: string = 'default') {
     return supertest
       .get(getRouteUrlForSpace('/api/endpoint/metadata', kibanaSpace))
@@ -328,6 +340,18 @@ const securitySolutionApiServiceFactory = (supertest: SuperTest.Agent) => ({
       .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .query(props.query);
   },
+  performEndpointExceptionsPerPolicyOptIn(kibanaSpace: string = 'default') {
+    return supertest
+      .post(
+        getRouteUrlForSpace(
+          '/internal/api/endpoint/endpoint_exceptions_per_policy_opt_in',
+          kibanaSpace
+        )
+      )
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
+  },
   /**
    * Run a script on a host. Currently supported only for some agent types.
    */

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Endpoint Exceptions Per Policy Opt-In API
+ *   version: 1
+ */
+
+import { z } from '@kbn/zod/v4';
+
+export type GetEndpointExceptionsPerPolicyOptInResponse = z.infer<
+  typeof GetEndpointExceptionsPerPolicyOptInResponse
+>;
+export const GetEndpointExceptionsPerPolicyOptInResponse = z.object({
+  status: z.boolean(),
+  reason: z.enum(['newDeployment', 'userOptedIn']).optional(),
+});
@@ -0,0 +1,42 @@
+openapi: 3.0.0
+info:
+  title: Endpoint Exceptions Per Policy Opt-In API
+  version: '1'
+paths:
+  /internal/api/endpoint/endpoint_exceptions_per_policy_opt_in:
+    get:
+      summary: Retrieve endpoint exceptions per policy opt-in
+      operationId: GetEndpointExceptionsPerPolicyOptIn
+      x-codegen-enabled: true
+      x-labels: []
+      #      TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below.
+      #      x-labels: [ ess, serverless ]
+      x-internal: true
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - status
+                properties:
+                  status:
+                    type: boolean
+                  reason:
+                    type: string
+                    enum: [newDeployment, userOptedIn]
+
+    post:
+      summary: Opt-in to endpoint exceptions per policy
+      operationId: PerformEndpointExceptionsPerPolicyOptIn
+      x-codegen-enabled: true
+      x-labels: []
+      #      TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below.
+      #      x-labels: [ ess, serverless ]
+      x-internal: true
+      responses:
+        '200':
+          description: OK
+
@@ -186,6 +186,7 @@ import type {
   EndpointGetActionsStatusRequestQueryInput,
   EndpointGetActionsStatusResponse,
 } from './endpoint/actions/status/status.gen';
+import type { GetEndpointExceptionsPerPolicyOptInResponse } from './endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.gen';
 import type {
   GetEndpointMetadataListRequestQueryInput,
   GetEndpointMetadataListResponse,
@@ -1872,6 +1873,18 @@ finalize it.
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  async getEndpointExceptionsPerPolicyOptIn() {
+    this.log.info(`${new Date().toISOString()} Calling API GetEndpointExceptionsPerPolicyOptIn`);
+    return this.kbnClient
+      .request<GetEndpointExceptionsPerPolicyOptInResponse>({
+        path: '/internal/api/endpoint/endpoint_exceptions_per_policy_opt_in',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '1',
+        },
+        method: 'GET',
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   async getEndpointMetadataList(props: GetEndpointMetadataListProps) {
     this.log.info(`${new Date().toISOString()} Calling API GetEndpointMetadataList`);
     return this.kbnClient
@@ -2653,6 +2666,20 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  async performEndpointExceptionsPerPolicyOptIn() {
+    this.log.info(
+      `${new Date().toISOString()} Calling API PerformEndpointExceptionsPerPolicyOptIn`
+    );
+    return this.kbnClient
+      .request({
+        path: '/internal/api/endpoint/endpoint_exceptions_per_policy_opt_in',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '1',
+        },
+        method: 'POST',
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   /**
     * Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
 

@@ -135,6 +135,9 @@ export const ENDPOINT_ERROR_CODES: Record<string, number> = {
 export const ENDPOINT_FIELDS_SEARCH_STRATEGY = 'endpointFields';
 export const ENDPOINT_SEARCH_STRATEGY = 'endpointSearchStrategy';
 
+/** Endpoint Exceptions routes */
+export const ENDPOINT_EXCEPTIONS_PER_POLICY_OPT_IN_ROUTE = `${BASE_INTERNAL_ENDPOINT_ROUTE}/endpoint_exceptions_per_policy_opt_in`;
+
 /** Search strategy keys */
 export const ENDPOINT_PACKAGE_POLICIES_STATS_STRATEGY = 'endpointPackagePoliciesStatsStrategy';